T133147-part2-master

Authored By
Bawolff
Jul 18 2016, 10:36 PM
Size
1 KB
Referenced Files
None
Subscribers
None

From 792b2351285d56e9990f8a2742ee2636862ccf83 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Wed, 20 Apr 2016 13:41:20 -0400
Subject: [PATCH] Escape '<' and ']]>' in inline <style> blocks
This is to prevent people from closing the <style> tag, and
then doing arbitrary js-y things. In particular, this is needed
for when previewing user css pages.
This does not escape '>' since it's used as the child selector
in css, and generally speaking, '>' is safe inside the contents
of elements.
Bug: T133147
Change-Id: If024398d7bd4b578ad7f8c74367787f5b19eb9d7
---
includes/Html.php | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/includes/Html.php b/includes/Html.php
index e5128d1..39c237a 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -627,6 +627,17 @@ class Html {
* @return string Raw HTML
*/
public static function inlineStyle( $contents, $media = 'all' ) {
+ // Don't escape '>' since that is used
+ // as direct child selector.
+ // Remember, in css, there is no "x" for hexadecimal escapes, and
+ // the space immediately after an escape sequence is swallowed.
+ $contents = strtr( $contents, [
+ '<' => '\3C ',
+ // CDATA end tag for good measure, but the main security
+ // is from escaping the '<'.
+ ']]>' => '\5D\5D\3E '
+ ] );
+
if ( preg_match( '/[<&]/', $contents ) ) {
$contents = "/*<![CDATA[*/$contents/*]]>*/";
}
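Review bot: In the unchanged `preg_match( '/[<&]/', $contents )` that follows the new strtr() call, the '<' alternative can no longer match, because every '<' has already been rewritten to '\3C ', so the CDATA wrapper is now added only when the contents contain '&'. Consider narrowing the pattern to '&', or leaving a comment there, so the leftover '<' is not read as a second line of defence. The diffstat also lists only includes/Html.php, so a test that passes a string containing '</style>' and ']]>' through Html::inlineStyle() and checks that the output has no raw '<' would pin the behaviour down.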
--
2.0.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3874785
Default Alt Text
T133147-part2-master (1 KB)